Amazon Athena

As a best practice, create a dedicated AWS IAM Service Account user and a dedicated IAM role for it before configuring Connecty. Keeping the integration's credentials separate from any human or shared identity isolates them, makes it easy to see and revoke exactly what Connecty can reach, and simplifies permission management.

Connecty AI offers the most complete experience when your Athena catalog is AWS Glue; in this setup we can surface richer table and column metadata. Other catalog types (e.g., external Hive metastores or Athena Federated Query sources) are supported for querying, but metadata coverage may be limited. This does not affect query execution.

Prerequisites

  • A Service Account IAM user with programmatic access credentials (access key ID and secret access key).

  • A dedicated IAM role that grants access to Amazon Athena and the related resources (AWS Glue and S3) and that the Service Account is allowed to assume.

  • A dedicated S3 output location (bucket and prefix) for query results.

  • The AWS Region in which the Amazon Athena catalog and workgroup reside.

Service Account

A Service Account (SA) is a technical IAM user created so that programs, not people, can access a defined set of AWS resources. A good practice is to grant the SA exactly one permission: sts:AssumeRole on the dedicated IAM role's ARN. The role's policy, not the user's, then defines what Connecty can do, and the user itself carries no other permissions and no console password.

Once the SA user is created, generate its credentials in AWS IAM -> your SA user name -> Security Credentials -> Create Access Key. This produces an aws_access_key_id and an aws_secret_access_key. The secret is shown only once at creation; store it in a secrets manager rather than in source control or a ticket, and rotate the key if it is ever exposed.

Examples (these are the placeholder values from the AWS documentation, not real credentials):

  • AKIAIOSFODNN7EXAMPLE (Access Key ID)

  • wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY (Secret Access Key)

AWS Role

To give Connecty AI access to your Amazon Athena catalog, create an AWS IAM role that the Service Account can assume and that holds the permissions for the catalog, the workgroup and the S3 locations.

Make sure the new IAM role dedicated to Connecty AI has a trust relationship like the following. Name the SA user explicitly, rather than the account root or a wildcard, so that only that user can assume the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowConnectyAIUserToAssume",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT:user/SA_USER_NAME"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Attach to that role an IAM policy containing at least the following permissions. Replace REGION, ACCOUNT, the catalog names, the workgroup and the bucket names with the values from your Amazon Athena configuration. The GlueReadOnly statement below is scoped to the whole account; it can be narrowed to the catalog, database and table ARNs Connecty needs, since Glue evaluates table calls against all three.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AthenaListGlobal",
            "Effect": "Allow",
            "Action": [
                "athena:ListWorkGroups",
                "athena:ListDataCatalogs"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "REGION"
                }
            }
        },
        {
            "Sid": "AthenaListDatabasesAndTablesInAllowedCatalogs",
            "Effect": "Allow",
            "Action": [
                "athena:ListDatabases",
                "athena:ListTableMetadata"
            ],
            "Resource": [
                "arn:aws:athena:REGION:ACCOUNT:datacatalog/AwsDataCatalog",
                "arn:aws:athena:REGION:ACCOUNT:datacatalog/anotherCatalog"
            ]
        },
        {
            "Sid": "AthenaStartQueryInWorkgroupAndDb",
            "Effect": "Allow",
            "Action": "athena:StartQueryExecution",
            "Resource": "arn:aws:athena:REGION:ACCOUNT:workgroup/primary"
        },
        {
            "Sid": "AthenaReadExecAndHistory",
            "Effect": "Allow",
            "Action": [
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:BatchGetQueryExecution",
                "athena:ListQueryExecutions"
            ],
            "Resource": "arn:aws:athena:REGION:ACCOUNT:workgroup/primary"
        },
        {
            "Sid": "GlueReadOnly",
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetTable",
                "glue:GetTables",
                "glue:GetPartition",
                "glue:GetPartitions"
            ],
            "Resource": [
                "arn:aws:glue:REGION:ACCOUNT:*"
            ]
        },
        {
            "Sid": "ReadDataBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::SOURCE_BUCKET"
        },
        {
            "Sid": "ReadDataObjects",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::SOURCE_BUCKET/*"
        },
        {
            "Sid": "WriteResultsBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::OUTPUT_BUCKET"
        },
        {
            "Sid": "PutResultsObjects",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::OUTPUT_BUCKET/*"
        }
    ]
}
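A quick way to confirm that a trust policy and a permissions policy written from the templates above still follow the scoping rules they are meant to follow, before they go into an account. This is an added example, not Connecty's own tooling. It embeds the two policies from this page with constructed placeholder values (account 123456789012, Region eu-west-1, IAM user connecty-sa, buckets example-source and example-athena-results), checks that only the SA user may assume the role, that no statement uses wildcard actions, that Resource "*" appears only on the two Athena list calls that have no ARN to scope to, and that S3 write actions target nothing but the results bucket. It then runs the same checks on a loosened variant with two common mistakes (account-root trust and an unscoped S3 write) so the findings can be seen:

```python
"""Least-privilege checks for the Connecty Athena role policies (added example, not Connecty code)."""
import copy

# Constructed placeholder values standing in for REGION, ACCOUNT, SA_USER_NAME and the buckets.
ACCOUNT, REGION = "123456789012", "eu-west-1"
SA_USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/connecty-sa"
SOURCE_BUCKET, OUTPUT_BUCKET = "example-source", "example-athena-results"

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowConnectyAIUserToAssume", "Effect": "Allow",
     "Principal": {"AWS": SA_USER_ARN}, "Action": "sts:AssumeRole"}]}

ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AthenaListGlobal", "Effect": "Allow", "Resource": "*",
     "Action": ["athena:ListWorkGroups", "athena:ListDataCatalogs"],
     "Condition": {"StringEquals": {"aws:RequestedRegion": REGION}}},
    {"Sid": "AthenaListDatabasesAndTablesInAllowedCatalogs", "Effect": "Allow",
     "Action": ["athena:ListDatabases", "athena:ListTableMetadata"],
     "Resource": [f"arn:aws:athena:{REGION}:{ACCOUNT}:datacatalog/AwsDataCatalog"]},
    {"Sid": "AthenaStartQueryInWorkgroupAndDb", "Effect": "Allow",
     "Action": "athena:StartQueryExecution",
     "Resource": f"arn:aws:athena:{REGION}:{ACCOUNT}:workgroup/primary"},
    {"Sid": "AthenaReadExecAndHistory", "Effect": "Allow",
     "Action": ["athena:GetQueryExecution", "athena:GetQueryResults",
                "athena:BatchGetQueryExecution", "athena:ListQueryExecutions"],
     "Resource": f"arn:aws:athena:{REGION}:{ACCOUNT}:workgroup/primary"},
    {"Sid": "GlueReadOnly", "Effect": "Allow",
     "Action": ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable",
                "glue:GetTables", "glue:GetPartition", "glue:GetPartitions"],
     "Resource": [f"arn:aws:glue:{REGION}:{ACCOUNT}:*"]},
    {"Sid": "ReadDataBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": f"arn:aws:s3:::{SOURCE_BUCKET}"},
    {"Sid": "ReadDataObjects", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": f"arn:aws:s3:::{SOURCE_BUCKET}/*"},
    {"Sid": "WriteResultsBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": f"arn:aws:s3:::{OUTPUT_BUCKET}"},
    {"Sid": "PutResultsObjects", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": f"arn:aws:s3:::{OUTPUT_BUCKET}/*"}]}

# These two Athena list calls have no ARN to scope to, so Resource "*" is tolerated only for them.
UNSCOPABLE_ACTIONS = {"athena:ListWorkGroups", "athena:ListDataCatalogs"}
S3_WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust, expected_user_arn):
    """Findings for a role trust policy; empty means only the SA user may assume the role."""
    findings = []
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in aws:  # "*" or an account :root principal widens who can assume the role
            if arn != expected_user_arn:
                findings.append(f"{sid}: principal {arn!r} is not the SA user {expected_user_arn}")
        extra = set(_as_list(stmt.get("Action", []))) - {"sts:AssumeRole"}
        if extra:
            findings.append(f"{sid}: unexpected trust actions {sorted(extra)}")
    return findings


def check_permissions_policy(policy, output_bucket):
    """Findings for the role's permissions policy against the scoping rules above."""
    findings, results_arn = [], f"arn:aws:s3:::{output_bucket}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions, resources = set(_as_list(stmt["Action"])), set(_as_list(stmt["Resource"]))
        wild = sorted(a for a in actions if a == "*" or a.endswith(":*"))
        if wild:
            findings.append(f"{sid}: wildcard actions {wild}")
        if "*" in resources and not actions <= UNSCOPABLE_ACTIONS:
            findings.append(f'{sid}: Resource "*" with scopable actions {sorted(actions - UNSCOPABLE_ACTIONS)}')
        writes = actions & S3_WRITE_ACTIONS
        off_target = sorted(r for r in resources
                            if not (r == results_arn or r.startswith(results_arn + "/")))
        if writes and off_target:
            findings.append(f"{sid}: S3 writes {sorted(writes)} allowed outside the results bucket: {off_target}")
    return findings


def review(trust=TRUST_POLICY, policy=ROLE_POLICY):
    """Run both checks and return the combined findings (empty list means the policies pass)."""
    return check_trust_policy(trust, SA_USER_ARN) + check_permissions_policy(policy, OUTPUT_BUCKET)


def loosened_variant():
    """The page's policies with two common mistakes: account-root trust and an unscoped S3 write."""
    trust, policy = copy.deepcopy(TRUST_POLICY), copy.deepcopy(ROLE_POLICY)
    trust["Statement"][0]["Principal"]["AWS"] = f"arn:aws:iam::{ACCOUNT}:root"
    policy["Statement"][-1]["Resource"] = "*"
    return trust, policy


if __name__ == "__main__":
    print("page policies:", review() or "no findings")
    print("loosened variant:", *review(*loosened_variant()), sep="\n  ")
```

The checks are deliberately narrow: they catch the shapes of over-permission most likely to slip into a copy of this template, not every possible IAM mistake, and IAM Access Analyzer or a policy linter remains the authoritative review. To check a policy exported from an account, load it with json.load and pass it to review() in place of the embedded dictionaries.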

In some setups the permissions listed above are attached directly to the IAM user instead of to a role assumed by the SA user. In that case leave the AWS Role ARN empty in the new Connection form. Note that the long-lived access key then carries the full set of permissions itself, which is why the role-based setup is preferred.

For catalogs other than AWS Glue, extend the permissions above accordingly: allow athena:ListDatabases and athena:ListTableMetadata on the specific Data Catalog ARNs, and for Athena Federated Query also allow lambda:InvokeFunction on the connector function, plus any Secrets Manager or KMS access the connector requires.

S3 Bucket output location

The S3 Output Location in the Connection form is the S3 path where Amazon Athena writes query results and their metadata files. The assumed role (or the SA user, if permissions are attached directly) needs write access to that location; the WriteResultsBucket and PutResultsObjects statements above cover it. Because every result set lands there, keep this prefix dedicated to Connecty and do not point it at a bucket that holds source data. If large result sets fail to write, also grant s3:ListBucketMultipartUploads, s3:ListMultipartUploadParts and s3:AbortMultipartUpload on the results location, as the AWS-managed AmazonAthenaFullAccess policy does.

Examples:

  • s3://analytics-prod/athena/results/

  • s3://analytics-prod/athena/results (the trailing slash may be omitted)

  • https://s3.amazonaws.com/analytics-prod/athena/results/ (not accepted: use the s3:// scheme, not an HTTPS URL)

Workgroup

The workgroup parameter in the Connection form names the Amazon Athena workgroup that determines execution settings such as the result location, result encryption and per-query data limits. It is optional; if left empty, the default primary workgroup is used. The workgroup you choose must match the workgroup ARN in the AthenaStartQueryInWorkgroupAndDb and AthenaReadExecAndHistory statements above. If the workgroup has "Override client-side settings" enabled, its own result location takes precedence over the S3 Output Location given in the form.
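Before saving the connection, it is worth proving from outside Connecty that the SA key, the role, the output location and the workgroup fit together. The following is an added example, not Connecty's own code: it normalises the S3 Output Location the way the form expects (accepting the s3:// forms listed above and rejecting the HTTPS form), assumes the role with the SA user's key, runs SELECT 1 through the chosen workgroup and polls it to completion, and notes which IAM action from the policy above each API call exercises. The function names, the role session name "connecty-smoke-test" and the FakeAthena stand-in are assumptions; the real client comes from boto3 in athena_client(), which is imported only there so the rest of the file runs without it:

```python
"""Smoke-test an Athena connection with the assumed role (added example, not Connecty code)."""
import time
from urllib.parse import urlparse

TERMINAL_STATES = {"SUCCEEDED", "FAILED", "CANCELLED"}


def normalize_output_location(value):
    """Accept s3://bucket/prefix with or without a trailing slash; reject any other scheme.

    Returns the canonical form with one trailing slash, the prefix Athena writes under.
    """
    parsed = urlparse(value.strip())
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"output location must use the s3:// scheme, got {value!r}")
    prefix = parsed.path.strip("/")
    return f"s3://{parsed.netloc}/{prefix}/" if prefix else f"s3://{parsed.netloc}/"


def athena_client(role_arn, region, access_key, secret_key):
    """Assume the Connecty role with the SA user's key and return an Athena client.

    Needs the trust policy on the role and sts:AssumeRole on the SA user; boto3 is
    imported here so the offline parts of this module do not depend on it.
    """
    import boto3
    sts = boto3.client("sts", region_name=region,
                       aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="connecty-smoke-test")["Credentials"]
    return boto3.client("athena", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def run_smoke_query(athena, output_location, workgroup="primary", sleep=time.sleep, timeout_s=60):
    """Run SELECT 1 and return its single result row as a list of strings.

    Each call maps to a statement in the role policy:
      start_query_execution -> athena:StartQueryExecution on the workgroup ARN
      get_query_execution   -> athena:GetQueryExecution on the workgroup ARN
      get_query_results     -> athena:GetQueryResults plus s3:GetObject on the results prefix
    """
    started = athena.start_query_execution(
        QueryString="SELECT 1",
        WorkGroup=workgroup or "primary",  # an empty form field means the default workgroup
        ResultConfiguration={"OutputLocation": normalize_output_location(output_location)},
    )
    query_id = started["QueryExecutionId"]
    deadline = time.monotonic() + timeout_s
    while True:
        status = athena.get_query_execution(QueryExecutionId=query_id)["QueryExecution"]["Status"]
        if status["State"] in TERMINAL_STATES:
            break
        if time.monotonic() > deadline:
            raise TimeoutError(f"query {query_id} still {status['State']} after {timeout_s}s")
        sleep(1)
    if status["State"] != "SUCCEEDED":
        # StateChangeReason carries the AccessDenied or S3 error text when a permission is missing.
        raise RuntimeError(f"query {query_id} {status['State']}: {status.get('StateChangeReason')}")
    rows = athena.get_query_results(QueryExecutionId=query_id)["ResultSet"]["Rows"]
    return [col.get("VarCharValue") for col in rows[1]["Data"]]  # rows[0] is the header row


class FakeAthena:
    """Constructed stand-in for the boto3 client so the flow can be exercised offline."""

    def __init__(self):
        self.calls, self._polls = [], 0

    def start_query_execution(self, **kw):
        self.calls.append(("StartQueryExecution", kw))
        return {"QueryExecutionId": "00000000-0000-0000-0000-000000000001"}

    def get_query_execution(self, **kw):
        self.calls.append(("GetQueryExecution", kw))
        self._polls += 1  # report RUNNING once, then SUCCEEDED, to exercise the polling loop
        return {"QueryExecution": {"Status": {"State": "RUNNING" if self._polls == 1 else "SUCCEEDED"}}}

    def get_query_results(self, **kw):
        self.calls.append(("GetQueryResults", kw))
        return {"ResultSet": {"Rows": [{"Data": [{"VarCharValue": "_col0"}]},
                                       {"Data": [{"VarCharValue": "1"}]}]}}


if __name__ == "__main__":
    for loc in ("s3://analytics-prod/athena/results/", "s3://analytics-prod/athena/results",
                "https://s3.amazonaws.com/analytics-prod/athena/results/"):
        try:
            print(loc, "->", normalize_output_location(loc))
        except ValueError as err:
            print(loc, "->", err)
    print("offline run:", run_smoke_query(FakeAthena(), "s3://analytics-prod/athena/results", sleep=lambda s: None))
    # Against a real account, with values from your own setup:
    # run_smoke_query(athena_client(ROLE_ARN, REGION, KEY_ID, SECRET), OUTPUT_LOCATION, WORKGROUP)
```

A FAILED state whose StateChangeReason mentions AccessDenied points at a missing statement in the role policy; an error on start_query_execution itself usually means the workgroup ARN in AthenaStartQueryInWorkgroupAndDb does not match the workgroup passed in, and an error on get_query_results with a SUCCEEDED query means the role can run queries but cannot read the results prefix.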
